IEC Protects Internal Systems with Valid Authentication

July 16, 2013 Alex Woodie

When it comes to security, there are few groups who take it quite as seriously as the Israelis. And when it came to protecting the systems that control the country’s electric grid, it’s notable that the Israel Electric Corp. (IEC) is using Valid Technologies IBM i-based VSSA technology to provide strong biometric authentication.

The principals were not willing to part with much information about the IEC implementation, which Valid Tech announced back in 2009. That’s not surprising, as secrecy is one of the primary tenants of security. “Loose lips sink ships,” after all. But what has been disclosed paints a picture of an organization that has gone to great measures to protect the security of its critical infrastructure.

Because of the politics of the Middle East, Israel’s neighbors don’t share electricity with the nation. As a result, Israel’s state-owned electric company, IEC, built its own isolated electric grid. The grid is composed of 17 power stations, nearly 200 switching stations and substations, and generates and distributes about 12,000 megawatts of electricity across the nation.

Security has always been important to electric grid operators, but the threats have evolved in recent years. Ten years ago, the idea that a cyber attack could disable or destroy a core piece of national infrastructure such as an electric grid was not talked about openly.

Today, such warnings are common place. Cyber security experts today often publicly warn nations about the need to take action and bolster defenses against hackers, terrorists, rouge states, and nationally backed cyber warriors. In the U.S. this is one of the rationales behind upgrading older electric grids to new “smart” grids that are not as susceptible to cascading failures as today’s100-year-old grids are.

IEC’s headquarters in Haifa, Israel. The 30-story office building is the 13th tallest building in the country. (Source: Sambach).

The potential for a cyber attack to inflict harm on industrial systems was made evident with the 2010 Stuxnet attack on the Iranian nuclear centrifuges. That attack, which is thought to be the work of the U.S. and Israel governments, utilized a Windows-based worm to wreak havoc on Siemens programmable logic controllers, and is said to have set back the Iranians nuclear weapon program by years.

Such cyber attacks cut both ways, of course, and the IEC has undoubtedly warded off attempts to infiltrate its internal control systems and damage the grid. Obviously, the IEC won’t discuss in detail the measures it has taken to block such attacks. But we do know at least one component of its internal security system: the IBM i-based Valid Secure System Authentication (VSSA).

IEC uses VSSA coupled with fingerprint scanners to prevent unauthorized access to its internal control systems. Any engineers or other IEC employee who needs to log onto the computers that control the grid must first have their fingerprints authenticated by VSSA.

What’s notable about the installation is that IEC was not a big user of IBM i servers before the VSSA implementation, if it was an IBM i user at all (it’s not clear if it was an IBM i user before the Valid deal). The utility bought a pair of IBM i servers for the express purpose of using them to run VSSA and to provide an important level of protection for critical systems.

That’s a big vote of confidence in the VSSA product, and a big plus mark in favor of Valid, which can provide authentication for any type of server or application, not just those running on IBM i.

“The way I talk about the VSSA product is it’s the equivalent of middleware that makes it possible for business logic programmers to enable biometric authentication without having to know anything about the details of biometrics,” Valid president Pat Botz told IT Jungle recently. “I think that’s probably what initially drew the IEC in. They looked at it, and thought ‘Great, we don’t have to become biometric authentication experts.'”